Attorney Docket Ref: 41007.P005 

CLAIMS 

What is claimed is: 

1. In a routing device, a method of operation comprising:
    receiving a packet sent by a client device destined for a server;
    independently determining whether said packet is a part of a conversation between the client and the server based at least in part on persistent information included in said packet; and
    handling the packet based at least in part on the result of said independent determination.

2. The method of claim 1, wherein said independent determination comprises independently verifying a conversation identifier included in said packet based at least in part on other information included in said packet.

3. The method of claim 2, wherein said independent verification comprises
    independently regenerating the conversation identifier using at least said other information included in said packet; and
    comparing the independently re-generated conversation identifier with the included conversation identifier.

4. The method of claim 3, wherein said conversation identifier is a nonce, and said independent re-generation comprises independently re-generating the nonce using a deterministic function with a sequence number of the nonce and a plurality of persistent field values extracted from the packet, and a pre-provided secret value as inputs to the deterministic function.

5. The method of claim 4, wherein said plurality of persistent field values comprise one or more of a source address, a destination address and a port number.

6. The method of claim 4, wherein the method further comprises at least one of receiving into said routing device said secret value, and equipping/configuring said routing device with said deterministic function.

7. The method of claim 4, wherein said independent generation is performed using a selected one of a message authentication code function and a universal hash function.

8. The method of claim 4, wherein the method further comprises recording a time of first observation for the nonce if the nonce is a newly observed nonce.

9. The method of claim 8, wherein the method further comprises determining if time has elapsed more than a predetermined threshold since a time of first observation was recorded for the nonce, if the extracted nonce and the independently generated nonce are deemed to be the same.

10. The method of claim 1, wherein the method further comprises forwarding the packet to the server if the packet is deemed to be a part of a conversation between the client device and the server, and non-forwarding the packet if the packet is deemed not a part of a conversation between the client device and the server.



11. In a server, a method of operation comprising:
    generating an independently verifiable conversation identifier for a packet destined for a client device, using at least persistent information that will be included in said packet;
    including the independently verifiable conversation identifier with said packet for use by the client device to include in a subsequent packet sent by the client device destined for the server; and
    transmitting said independently verifiable conversation identifier included packet to said client device.

12. The method of claim 11, wherein said generation of an independently verifiable conversation identifier comprises:
    generating a sequence number for a nonce; and
    generating the nonce as the independently verifiable conversation identifier for the packet using a deterministic function with the sequence number, a plurality of persistent field values of the packet, and a secret value as input values to the deterministic function.

13. The method of claim 12, wherein said plurality of persistent field values comprise one or more of a source address, a destination address and a port number.

14. In a client device, a method of operation comprising:
    receiving a packet from a server;
    extracting from the packet at least an independently verifiable conversation identifier included in the packet by the server for inclusion in a subsequent packet of the client device for the server, to allow one or more intermediate routing devices to be able to independently determine whether to permit continuing forwarding of the subsequent packet of the client device to the server; and
    saving said extracted at least independently verifiable conversation identifier for said subsequent use.

15. The method of claim 14, wherein the method further comprises
    retrieving at least a saved independently verifiable conversation identifier;
    including the retrieved independently verifiable conversation identifier in a packet to be sent to the server; and
    transmitting the independently verifiable conversation identifier included packet to the server.

16. The method of claim 14, wherein said extracting comprises extracting an included nonce and an associated sequence number of the nonce, the nonce being independently verifiable by a party using a deterministic function and having knowledge of a secret value, based on persistent information included in the packet.



17. A routing apparatus comprising:
    an interface to receive a packet sent by a client device destined for a server; and
    a function unit coupled to the interface to independently determine whether said packet is a part of a conversation between the client and the server based at least in part on persistent information included in the packet, and output a packet disposition signal based at least in part on the result of said independent determination.

18. The routing apparatus of claim 17, wherein said function unit is designed to make said independent determination by independently verifying a conversation identifier included in said packet based at least in part on other information included in said packet.

19. The routing apparatus of claim 18, wherein said function unit comprises
    an identifier generator to independently regenerate the conversation identifier using at least said other information included in said packet; and
    a comparator coupled to the identifier generator to compare the independently re-generated conversation identifier with the included conversation identifier.

20. The routing apparatus of claim 19, wherein said conversation identifier is a nonce, and said identifier generator is designed to independently re-generate the nonce using a deterministic function with a sequence number of the nonce and a plurality of persistent field values extracted from the packet, and a pre-provided secret value as inputs to the deterministic function.

21. The routing apparatus of claim 20, wherein said identifier generator comprises a deterministic function.

22. A server comprising:
    at least one processor; and
    a communication interface coupled to the processor to transmit packets to one or more client devices on behalf of the processor including
        a generator to generate an independently verifiable conversation identifier for a packet destined for one of said one or more client devices, using at least persistent information that will be included in said packet,
        a summing unit to insert the independently verifiable conversation identifier with said packet for use by the particular client device to include in a subsequent packet sent by the client device destined for the server and
        a transmitter to transmit said independently verifiable conversation identifier included packet to said particular client device.

23. The apparatus of claim 22, wherein said generator comprises
    a counter to generate a sequence number for a nonce; and
    a deterministic function unit to generate the nonce as the independently verifiable conversation identifier for the packet using the sequence number, a plurality of persistent field values of the packet, and a secret value as input values.

24. The apparatus of claim 23, wherein said plurality of persistent field values comprise one or more of a source address, a destination address and a port number.

25. The apparatus of claim 23, wherein said deterministic function is a selected one of a message authentication code function and a universal hash function.

26. A client device comprising:
    a processor; and
    a communication interface coupled to the processor to send and receive packets on behalf of the processor, including
        a transceiver to receive a packet from a server,
        an extractor coupled to the transceiver to extract from the packet at least an independently verifiable conversation identifier included in the packet by the server for inclusion in a subsequent packet of the client device for the server, to allow one or more intermediate routing devices to be able to independently determine whether to permit continuing forwarding of the subsequent packet of the client device to the server, and save said extracted at least independently verifiable conversation identifier for said subsequent use.



27. The client device of claim 26, wherein the communication interface further comprises a function unit to retrieve at least a saved independently verifiable conversation identifier, and insert the retrieved independently verifiable conversation identifier in a packet to be sent by said transceiver to the server.

28. The client device of claim 26, wherein said extractor is designed to extract an included nonce and an associated sequence number of the nonce, the nonce being independently verifiable by an intermediate party using a deterministic function and having knowledge of a secret value, based on persistent information included in the packet.
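
Added example, not part of the application as filed: a sketch of the nonce generation of claim 12 and the router-side check of claims 3, 4 and 8 to 10, showing that a verified nonce is bound to the addresses and port it was issued for. HMAC-SHA-256 truncated to 16 bytes, the field encoding, the 30-second threshold, dropping expired nonces, and every name in the code are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-secret"  # assumption: provisioned to server and router (claim 6)
MAX_AGE = 30.0                       # assumption: the claims say only "predetermined threshold"

def make_nonce(secret, seq, client, server, port):
    """Claim 12: nonce = MAC(secret, sequence number || persistent field values)."""
    msg = (struct.pack("!Q", seq)
           + ipaddress.ip_address(client).packed
           + ipaddress.ip_address(server).packed
           + struct.pack("!H", port))
    # HMAC-SHA-256 truncated to 16 bytes is this example's choice of MAC (claim 7).
    return hmac.new(secret, msg, hashlib.sha256).digest()[:16]

class RouterFilter:
    """Claims 3, 4, 8-10: regenerate, compare, track first observation, dispose."""

    def __init__(self, secret, max_age=MAX_AGE):
        self.secret = secret
        self.max_age = max_age
        self.first_seen = {}  # nonce -> time of first observation

    def handle(self, pkt, now):
        expected = make_nonce(self.secret, pkt["seq"], pkt["client"],
                              pkt["server"], pkt["port"])
        # Constant-time compare; only verified nonces ever reach the state table,
        # so forged packets cannot grow it.
        if not hmac.compare_digest(expected, pkt["nonce"]):
            return "drop"
        first = self.first_seen.setdefault(pkt["nonce"], now)
        # Assumption: a nonce older than the threshold is no longer forwarded.
        return "forward" if now - first <= self.max_age else "drop"

def demo():
    """Constructed packets: valid, replayed from another address, valid, expired."""
    router = RouterFilter(SECRET)
    pkt = {"seq": 7, "client": "198.51.100.10", "server": "203.0.113.5", "port": 443}
    pkt["nonce"] = make_nonce(SECRET, pkt["seq"], pkt["client"], pkt["server"], pkt["port"])
    spoofed = dict(pkt, client="198.51.100.99")  # same nonce, different source address
    return [router.handle(pkt, 0.0), router.handle(spoofed, 1.0),
            router.handle(pkt, 10.0), router.handle(pkt, 45.0)]

if __name__ == "__main__":
    print(demo())
```

The router keeps no per-conversation state until a nonce has verified, and eviction of old `first_seen` entries is left out of this sketch.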

Wetherall - Independent Detecting & Filtering of Undesirable Packets

Express Mail Label No: EL743034513US